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^ . Abstract 

<. 

, A polar coding scheme is introduced in this paper for the wire-tap channel. It is shown that the provided scheme 

achieves the entire rate-equivocation region for the case of symmetric and degraded wire-tap channel, where the 

weak notion of secrecy is assumed. For the particular case of binary erasure wire-tap channel, an alternative proof 

is given. The case of general non-degraded wire-tap channels is also considered. 

HH ■ 
C/3 ' 

, ^, ' I. Introduction 

^ I Channel coding via the method of channel polarization is provided by Arikan in |2|. On a binary-input discrete 

^ ' memoryless channel (DMC), polarization ends up with either 'good bits', i.e., binary channels whose capacity 

lO approaches 1 bit per channel use, or 'wasted bits', i.e., channels whose capacity approaches zero. The fraction of 

Lj the good bits is equal to the mutual information with equiprobable inputs (which equals the capacity for the case of 

ly-^ symmetric channels). In a physically degraded setting, as mentioned in |l2l, an order of polarization is maintained 

O , in the sense that 'good' bits for the degraded channel, must also be 'good' for the better channel. 

y—i , For a standard single-user channel coding problem, the polar coding scheme is based on transmitting the uncoded 

^ information bits over the capacity approaching channels (when we interpret the polarization as a kind of a precoding 

^ or pre-processing). At the same time, fixed and predetermined bits are transmitted over the channels whose capacity 

H , approaches zero. These predetermined bits are still needed in the successive decoding process, hence they can not 

be ignored. 

A secrecy polar scheme is suggested in this paper for the wire-tap channel. A secret message needs to be 
transmitted reliably to a legitimate user. At the same time, this message must be kept secret from the eavesdropper. 
At the first part of this paper, it is assumed that the marginal channel to the eavesdropper is physically degraded 
with respect to the marginal channel to the legitimate user. The proposed secrecy polar scheme for the degraded 
case is based on transmitting random bits on the 'good bits' of the degraded eavesdropper channel. These random 
bits are independent of the secret message. At the legitimate receiver, the random bits can be decoded reUably. 
This is because the 'good bits' for the degraded eavesdropper channel are also 'good' for the legitimate user. The 
rest of the 'good' bits for the legitimate user are dedicated for the secret message. Additional independent works 
on this subject are provided in 11311 II 1411 II15I . 

Transmitting random bits on the 'good bits' of the eavesdropper, all the possible information rates that can be 
detected by the eavesdropper are exhausted. Otherwise, the standard channel capacity could have been beaten. Thus 
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the 'good bits' associated with the secret message for the legitimate channel, must be perfectly secret (at least in 
the weak sense). Note that this result is satisfied immaterial of whether the eavesdropper adheres to successive 
decoding or to optimal decoding (as otherwise, its capacity could have been beaten). It is first shown that the 
provided scheme archives the secrecy capacity for the considered model. The result is then generalized to the enitre 
rate-equivocation region. This result is proved under a weak notion of secrecy. For the particular case of binary 
erasure wire-tap channel, an alternative proof is provided, based on algebraic arguments. This different notion of 
proof may contribute to a stronger notion of security. 

At the second part of the paper, the secrecy polar scheme is adapted for the general, i.e., non-degraded wire-tap 
channel. This scheme is based on a conjecture on possible polarization properties of some of the 'bad' indices of the 
eavesdropper. To this end, the polarization of the 'bad' bits is concerned while the decoder has perfect knowledge 
of some of the 'good' bits (which are no longer part of the transmitted message, but they are kept predetermined 
and fixed). The question regarding this aspect is whether the additional information helps in decoding these bits 
or do they keep their original 'bad' polarization. The original polarization result in lH does not fully cover this 
scenario. 

This paper is structured as follows: In Section HIl preliminary introduction is provided. In Section Hl-AI the wire- 
tap communication model is introduced in addition to some basic definitions and results in information-theoretic 
security. Polar codes are introduced in Section ITl-B I The polar secrecy scheme is detailed and studied in Section Hill 
A conjecture on possible polarization properties is stated in Section |IVj along with a resulting adaptation of the 
polar secrecy scheme for non-degraded wiretap channels. A list of possible further generalizations is provided in 
Section |Vl 

II. Preliminaries 

A. The Wire-Tap Communication Model 

We consider the communication model in Figure [T] A coded system is presented which transmits a confidential 
message C/ to a legitimate user. The message U is chosen uniformly from a set of size M. Next, the message is 
encoded to a codeword X with a blocklength n over an alphabet X. The resulting code-rate is, R= - log M. The 
codeword X is transmitted over a communication channel Py,z\x with one input, and two outputs. The transmission 
is assumed to take place over a DMC P, with an input alphabet X, and output alphabets y and Z. Let P(y, z|x) 
denote the probability of receiving the vectors y G 3^", and z G Z", at the legitimate user and the eavesdropper, 
respectively, given that a codeword x G X^ is transmitted. Based on the assumption that the channel is memoryless, 
it follows that 

n 

P(y,z|x) = JJP(yfc,2;fckfc) 
fc=i 

where (with some abuse of notation) P{y,z\x) denotes the probability of receiving the symbols y G y and z £ Z, 
at the legitimate user and the eavesdropper, respectively, given that the symbol x £ X is transmitted. Moreover, let 
G{y\x) and Q{z\x) denote the marginal probabilities for receiving the symbols y £ y and z £ Z, at the legitimate 
user and the eavesdropper, respectively, given that the symbol x £ X is transmitted. Both G{y\x) and Q{z\x) 
are transition probability laws of DMCs, called the marginal channels of the legitimate user and the eavesdropper, 
respectively. In addition, the probability to receive the symbol z £ Z at the eavesdropper, given that the symbol 
y £ y is received at the legitimate user is denoted by D{z\y). 

The channel output vectors Y and Z, both of length n, are received by the legitimate user and the eavesdropper, 
respectively. The legitimate user decodes the received vector Y resulting in the decoded message U. The objectives 



E. HOP AND S. SHAMAI: SECRECY-ACHIEVING POLAR-CODING FOR BINARY-INPUT MEMORYLESS SYMMETRIC WIRE-TAP CHANNELS 3 



Message 
U 



Encoder 





Channel 
Py,z\x 


Y 


X 














F,a 



Legitimate user 



Decoder 



U 



Eavesdropper 



Fig. 1: A wire-tap communication model. 



of the considered coding system is to obtain both secure and reliable communication. These objectives are to be 
accomplished simultaneously using a single codebook C„. The reliability of the system is measured via the average 
error probability Pt{Cn) of the decoded message 

M 

Note that the error probability depends on the blocklength of the coded message. The level of security is measured 
by the equivocation rate 



Re{Cn 



1 



n 



H{U\Z) 



(1) 



where H{U\Z) denotes the conditional entropy of the transmitted message U, given the received vector Z at the 
eavesdropper. 

Definition 1 (Achievable rate-equivocation pair). A rate-equivocation pair {R, R^) is achievable if there exists a 
code sequence {C„} of block length n and rate R such that 

lim P,{Cn) = 

n— >oo 

i?e < lim i?e(Cn). 

n— )-oo 

Remark 1 (On strong and weak notions of secrecy). The current discussion considers normalized entropies to 
measure the level of security (see the definition of equivocation rate in ([T])). Therefore, the achieved secrecy notion 
is referred to as weak secrecy. The strong notion of secrecy considers the unnormalized mutual information between 
the confidential message and the received vector at the eavesdropper receiver. Strong secrecy guarantees secrecy in 
the weak sense while the opposite direction does not follow. 

Definition 2 (Secrecy capacity). The secrecy capacity Cs is the supremum of all the rates R, such that the pair 
(i?, R) is an achievable rate-equivocation pair. 

Theorem 1 (The secrecy capacity of the wire-tap channel [IJ). The secrecy capacity C^ of the wire-tap channel 
satisfies: 

a = max {I{U; Y) - I{U; Z)) 

PuxPyzix 



where U is an auxilary random variable over the alphabet U, satisfying 
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1) Markov relationship: [/ — > X — > (y, Z) is a Markov chain. 

2) Bounded cardinality: \U\ < X + 1. 

Binary-input symmetric wire-tap channels are considered in this paper. 

Definition 3 (Symmetric binary input channels). A DMC with a transition probabiUty p, binary-input alphabet 
X, and an output alphabet 3^ is said to be symmetric if there exists a permutation vr over 3^ such that 

1) The inverse permutation tt^^ is equal to vr, i.e., 

7r~^(2/) =7r(y) 

for all y ^ y. 

2) The transition probability p satisfies 

piy\0) = pi7Tiy)\l) 

for all y G y. 

Definition 4 (Symmetric binary-input wire-tap channels). A binary input discrete memoryless wire-tap channel 
is symmetric if both of its marginal channels are symmetric. 

The particular case of physically degraded channels is studied in this paper. 

Definition 5 (Physically degraded channels). Let P be a wire-tap channel with an input alphabet X and output 
alphabets y and Z, at the legitimate and eavesdropper, respectively. Then, P is said to be physically degraded if 

P{y,z\x) = G{y\x)D{z\y) (2) 

for all X G A", y G 3^, and z ^ Z. 

The following Theorem characterizes the secrecy capacity of a binary-input, memoryless, symmetric and degraded 
wire-tap channel: 

Theorem 2 (lUl)' Let P be a binary-input, memoryless, symmetric, and degraded wire-tap channel. Denote by 
Gy\x and Qz\x the marginal channels to the legitimate user and the eavesdropper, respectively. Then, the secrecy 
capacity C^ is given by 

a{P) = C{Gy\x) - C{Qz\x) 

where C{Gy\x) ^i^d G{Qz\x) ^rs the channel capacities of the marginal channel Gy\x and Qz\x^ respectively. 

Remark 2 (On the entire rate-equivocation region). Theorem |2] is a particular case of the rate-equivocation 
region of less-noisy channels (which is on its own a particular case of the rate-equivocation region of the wire-tap 
channel). Under the notation in Theorem[T] if I{U; Y) > I{U; Z) for every U satisfying the Markov relationship in 
Theorem [H then the channel to the legitimate receiver is said to be less noisy than the eavesdropper (the degradation 
assumption in (|2]) satisfies the less noisy condition). It can be shown for the case of less-noisy wire-tap channels, 
that the rate-equivocation region is given by 

{0<R<I{X;Y) 
{R,Re): 0<R,<R 
Re <I{X-Y) -I{X;Z) 

For further details and proof see |[T1 and references therein. In the particular case of binary-input, memoryless 
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symmetric and degraded wire-tap channels as in Theorem |2j the rate-equivocation region is therefore given by 

0<R< C{Gy\x) 
{R,Rc): 0<Re<R } . (3) 

Re < CiGY\x) - C{Qz\x) 



B. Polar Codes 

This preliminary section offers a minimal summary of the basic definitions and results in ||2l, fSj, that are essential 
to the presentation of the results in Section |llll 

Let p be a transition probability function of a DMC with a binary input-alphabet X = {0, 1} and an output 
alphabet 3^. The operation of the channel on vectors is also denoted by p, that is for x = {xi, . . . , Xn) € <^", and 
y = (2/I1 • • • ; y™) £ 3^"' the block transition probability is given by 

n 

1=1 

Polar codes are defined in this section using the following recursive construction. At the first step, two independent 
copies of p are combined to form a new channel p2 over an input alphabet ^^ and output alphabet y'^. The transition 
probability function of the combined channel is given by 

P2{yi,y2\ui,U2) = p{yi\wi + W2)p{y2\w2) (4) 

for all 2/1,2/2 G y, and wi,W2 G X, where the addition operation is carried modulo 2. At the i-th step of the 
construction, the transition probability function pn, n = 2*, is defined for a combined channel with an input 
alphabet X^ and an output alphabet y^. The recursive definition of pn is based on two independent copies of the 
channel pn, defined at the previous step (i — 1). The channel pn has an input alphabet X^ and an output alphabet 
y^ . The construction of the channel p„ includes the following steps: 

1) An input vector w = {wi, . . . , Wn) G X^ is first transformed to a vector s = (si, . . . , s„) G <Y" where 

S2k~l = W2k~l + W2k 

and 

n 
S2k = X2k, l<k<- 

where the addition is carried modulo 2. 

2) The vector s is transformed into a vector v G X"^ where 

V = (Si, S3, . . . , Sn-l,S2, Si,... , Sn). 

i.e., the first ^ elements of v, t>i, . . . , tin equal the elements in s with odd indices, and the rest ^ elements of 
V, vn.+i, . . . ,Vn equal the elements of s with even indices. This operation is called a reverse shuffle operation 
and can be described by the linear transformation 

V = sRn 

where i?„ is an n x n matrix, called the reverse shuffle operator. 
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3) Pn(y|w) is given by 

Pn(y|w) =p^ (^(yi,y2,...,y^j \ {vi,V2, ■ ■ ■ ,vrjj pii ((y^+i, y^+2, . . . ,y„j | (v!i+i,vr+2, ■ ■ ■ ,Vnjj ■ 

(5) 
The recursive channel-synthesizing operation of pn is referred to as channel combining, and the channel p„ is 
referred to as the combined channel. Note that the resulting block length n for this construction must be a power 
of 2, that is n = 2* for z S N. Throughout this paper, all block lengths n are assumed to be integral powers of 2. 
The recursive construction of pn can be equivalently defined using a linear encoding operation. Let 

F = 

and define the following recursive construction of the n x n matrices G„: 

Gi=h 

Gn = (l^(^F)Rn(l2®GA (6) 




where // is the / x / identity matrix and (g) denotes the Kronecker product for matrices. The matrix G„ is refereed 
to as the polar generator matrix of size n. 

Proposition 1 ([2|). Let p be a DMC, and let p„ be the combined channel with a block length n. Then, 

Pn(yiw)=p(y|wG„) (7) 

for all y £ y^ and w € X", where pn is the combined channel in ^ and G„ is the n x n matrix defined in ^. 

Denote by [n] = {1,2,..., n}, and let An ^ [n]. In addition, denote by A^ the complementary set of An, that 
is An = N \ -^n- Given a set An, a class of coset codes with a common code-rate -|^n| are formed. Over the 
indices specified by An, the components of the input vector w are set according to the information bit vector. The 
rest of the bits of w are predetermined and fixed according to the particular code design. By setting both the set 
An and the components of w specified by An, a particular coset code is defined. This code can be shown to be a 
block coset code. The set An is referred as the information set. Polar codes are constructed by a specific choice of 
the information set An- Moreover, the choice of the information set is tailored to the specific channel over which 
the communication takes place. 

A coset code is defined using a linear block code and a coset vector. Let G be a generator matrix for a binary 
(n, k) linear block code with block length n and dimension k. In addition, let c € X"^ be a binary vector. Then, 
the coset block code C(G, c) is defined by 

C{G, c) ^ |x : X = uG + c, u G ;fn . (8) 

Denote by G„(^„) the \An\ x n sub-matrix of G„, defined by the rows of Gn whose indices are in An- Similarly, 
the matrix GniA'^) denotes the \An\ x n sub-matrix of G„ formed by the remaining rows of Gn- For each choice 
of An and an arbitrary n — k binary vector b € X"^'^, a coset code C is defined according to 

C = C{Gn{An),hGn{A'^)). (9) 

This code coincides with the recursive construction in ([7]). To see this, plug the information vector u in the 
information indices, specified by An, of the input vector w to the recursive construction. In addition, plug the 
vector b in the rest of the components of w . 
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Channel splitting is another important operation that is introduced in 13 for polar coding. The split channels 
{pn }f=i, with a binary input alphabet X and output alphabets 3^" x X'-^^, 1 < I < n, are defined according to: 

pL'^(y,w|x) = ^;^ J2 Pn(y|(w,X,c)) (10) 

where y G y^, w G X''^^, and x G X. The channel synthesizing operation in ( fTOl ) is referred to as channel splitting 
operation. The Bhattacharyya parameter of pn is denoted by: 



B{p^^)^Yl E yp^\yM0)p^n\yMi)- (11) 

The construction of the sequence of sets of split channels {pn (y, w|x)}JL^, n = 2*, i G N, in (ITOl) can be described 
using the following alternative recursion: 

Proposition 2 (13). For alH > 0, 1 < / < 2\ 

pglT'H(y«,y(^)),w|u;i) = Y^ ip«(y«,5(w)|u;i +u;)p«(y(2),e(w)|^) (12) 

pS%{{y^'\y^'^),{^,wi)\w2) =lp'i}{y^'\9M\w,+W2)p^^}{y^''\eM\w2) (13) 

where y(^),y*^^) G 3^^\ w = {wi, ... ,1021-2) S <Y^'"^, t(;i,W2 G '^> the addition operation is carried modulo 2 
and g = {gi, . . . ,gi-i) = ^(w) is a vector in X^^^ defined according to 

Qj = W2J-1 +'W2j, I <j <l-l (14) 

and 

e{w) = {w2,W4,...,W2l-2) (15) 

is the vector in Af'~^ comprises from the components of x with even indices. 

The importance of channel splitting is in its role in the successive cancellation decoding procedure that is provided 
in 121. The error performance analysis of this decoding procedure relies on the following two results: 

Theorem 3 (Q). Let p be a binary-input symmetric DMC with capacity C{p), and fix an arbitrary rate R < C{p) 
and a positive constant /3 < ^. Then, there exists a sequence of information sets An C [n], where n = 2*, z G N, 
such that for large enough blocklengths n the following properties are satisfied: 

1) Rate: 

\An\ > nR. 

2) Performance: The Bhattacharyya parameters in (fTTI ) satisfy 

i?(pW) < 2-^' 
for every / G An- 

Proposition 3 ([2]). Assume that the vector w = {wi, . . . ,Wn) G X"' is encoded via the considered recursive 
construction in Q, and is transmitted over a memory less and symmetric DMC channel p with a binary-input 
alphabet X and an output alphabet y. Define the event 

Slip) = {p^Hy,^^'-'^\wi) <p^\y,^^'-'^\wi + l)] (16) 
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where y € y"' is the received vector, w^'"^) = {wi, . . . , wi^i) is the vector comprises of the first / — 1 bits of w, 
Pn is the spUt channel in (ITOl ) and the addition is carried modulo 2. Then, the event Si is independent with the 
actual input vector w and 

Pr{£iip)) < B{p(^^) 

where B{pn ) is the Bhattacharyya parameter in (fTTIl . 

III. The Proposed Scheme: The Physically Degraded Case 

A. Polar Coding for Degraded Wire-Tap Channels 

Coset Block Codes 

A polar coding scheme is defined for the wire-tap channel. The proposed scheme is defined using the notion of 
coset block codes, based on the polar generator matrix Gjv introduced in Section III-BI For a given block length 
n = 2*, i G N, let An be an arbitrary subset of [n] of size k. In addition, let 7V„ be an additional arbitrary subset 
of An, of size k* , and let b^, G ;i^n-k-k ^^ ^ length n — k — k* binary vector. Denote by Bn the set of remaining 
indices in A^, that is 

Bn = Al\Nn. (17) 

The sets An, Bn, and Nn, the polar generator matrix G„ and the vector b„ are all known to both the legitimate 
user and the eavesdropper. 

Let u G X^ be a confidential information bit vector that needs to be transmitted to the legitimate user. The 
operation of the proposed secrecy scheme is described as follows: 

1) A binary vector b* G X'^' is chosen uniformly at random. 

2) The coset block code C* is chosen according to 

C*^ = C{Gn{An),hnGn{Bn)+KGn{Mn)). (18) 

3) The information vector u is encoded into a codeword x using the coset block code C*. That is, 

X = V.Gn{An) + hnGn{Bn) + KGn{Mn) (19) 

and it is transmitted over the wire-tap channel. 

If the complexity of constructing a random vector is considered as 0{1), then the encoding complexity of the 
proposed scheme equals the encoding complexity of the single-user polar encoding in [2], which is 0{n\ogn). 

For given sets An and Mn, and a vector b„, the resulting coding scheme is denoted by C„(^„, A/'n,b„). Since 
symmetric channels are considered, the performance of the provided scheme is shown in the following to be 
independent with the actual choice of b„. Consequently, the suggested coding scheme is denoted by Cn{An,Mn)- 

Recursive Polar Construction 

An equivalent recursive construction of the proposed scheme is provided. Similarly to the single-user construction 
in dH), the first step of the recursive construction is the composition of the wiretap channel P2 with an input alphabet 
from X'^ and an output alphabet from y"^ x Z"^ 

P2{yi,y2,Zl,Z2\wi,W2) = P{yi,Zi\'Wi + W2)P{y2, Z2\w2) (20) 

where (2/1,2/2) G 3^^> (2:1,22) S 2,"^, {wi,W2) G X^, and the addition is carried modulo 2. 
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The continuation of the recursive construction follows in a similar manner to the recursion in Section III-Bl The 
transition probability function P„ for a channel with an input alphabet A"" and an output alphabet y^ x Z", is 
constructed using two independent copies of a channel Pn. with an input alphabet X^ and an output alphabet 
yi X Z2 , Note that as in Section ITl-BI all block lengths (n) are integral powers of 2. The first part of the recursive 
step includes the evaluation of the vectors s, v G ^". This part is identical to the construction as described in 
Section Hl-BI (steps [Tl and [2l). Finally, the transition probability function P„(y|x) is given by 

P„(y,z|x) =P2L (^{yi,y2, . . . ,y^), {zi, Z2, . . . , Z2i)\{vi,V2, . . . ,V2i)j 

■ -Pf ((yf +1, yf +2, • • • , Vn), {zR+i,ZR+2, ..., Zn)\{vR+l,VR+2, • • • , Vn)j ■ (21) 



The channel P„ in (I2TI ) is the combined wire-tap channel. 

As in the case of standard polar coding for the single-user model, the recursive construction can be shown to be 
equivalent to a linear encoding with the polar generator matrix G„: 

Proposition 4. Let P be a binary memoryless wire-tap channel with an input alphabet X and output alphabets 
y and Z, for the legitimate user and the eavesdropper, respectively. In addition, let i-*„ and G„ be the combined 
wire-tap channel in (|2TI ) and the polar generator matrix in ^, respectively. Then, 

P„(y,z|w)=P(y,z[wG„) (22) 

for all w G A'", y G y, and z G Z"". 

Proof: The proof of (l22l ) is identical to the proof of (jT]) in [2|, where symbols from the output alphabet of the 
single user channel are replaced with the corresponding pair of symbols from the composite output alphabet (of 
the legitimate and the eavesdropper channels). ■ 

To obtain the equivalence of the recursive construction of the combined channel P„ in ((2TI) with the encoding 
operation in ( fT9l) . the division of the components of w in (l22l) for information bits, random bits and predetermined 
and fixed bits, is detailed. This division is defined by the sets An and Mn as follows: 

1) Over the indices specified by the index set An, the information bits u are placed. 

2) The random bits b* are placed in the indices specified by J\fn- 

3) The predetermined and fixed bits in b„ are left for the remaining indices specified by Bn- 

Plugging u, b* , and b^ in wGn, results in the coded message x in (fT9l l. 

Channel Splitting and Degradation Properties 

The channel splitting operation in (ITOl ) is repeated for the case of wire-tap channels. This procedure can be 
carried in two different but equivalent options: 

1) First performing a channel splitting operation for the wire-tap channel. This operation results in the split 
wire-tap channels {P„ }[Li with a binary input alphabet X and an output alphabet y^ x Z"^ x X^~^: 

P«(y,z,wH^^ Y, P„,(y,z|(w,u;,c)) (23) 

where y G y^, z G Z"', w G X^~^, and w ^ X. Next, deriving the marginal split channels 

G«(y,w|«;) ^ Yl P^i'\y,^,^H (24) 

zeZ" 
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and 

q1')(z,w|^) ^ Yl Pi'Hy,^Mw) (25) 

for the legitimate-user and eavesdropper, respectively, where y, z, w, and w are as in (|23]) . 
2) First deriving the marginal combined channels: 

Gn(y|w)^ 5] P„(y,z|w) (26) 

and 

Q„(z|w)^ Y^ Pn(y,z|w) (27) 

yey- 

for the legitimate user and eavesdropper, respectively, where y € 3^", z G Z", and w € ^". Next, split the 
marginal combined channels in (l26l ) and (l27l ) according to 



^ J] G„(y|(w,u;,c)). (28) 



2" 



and 

^ J] Q„(z|(w,u;,c)) (29) 



where y, z, w, and w are as in (I231 ). 

It is an immediate consequence of the equivalence properties in dTJl and (|22l) . that the split channels in (l24l) and 
(|25] ) equal to the channels in (l28]l and ( |29l ). 

The following proposition considers physically degraded wire-tap channels: 

Proposition 5. Assume that the wire-tap channel P is physically degraded. Then, the split channel P„ (y, z, w[x) 



in (1231 ) satisfies 

P«(y,z,w|x) = GW(y,w|x)Z?(z|y) (30) 

where Gn is the marginal split channel of the legitimate user in (l24l ). y = (yi, • • • , yn) G 3^". z = (zi, . . . , 2;„) G 
2^", u E ^'^^, x G ^, D(z|y) is a memoryless transition probability law: 

n 

D{z\y)=llD{zi\y,) 
1=1 

and D{z\y) is the conditional probability law of receiving a symbol z £ Z at the eavesdropper, assuming that the 
symbol y £ y is received at the legitimate receiver. 

Proof: The recursion operation in Proposition |2] is valid for the wire-tap channel. Specifically, for all i > 
and 1 < / < 2* it follows that 

wex 
P^fi\{{y^'\y^'y)Az'^'\^^'^)A^,w,)\w,)=lp^J{y^^^ (32) 

where y'^^^y^^-' E 3^^', z(^),z(^) e Z"^', w € A"^'^^, tt;i,tt;2 € X, and ^(vif) and e(w) are as defined in (IT4l ) 
and ( fTSl) . respectively. The proof of the recursion property in ( [3T] ) and ( [32b follows the exact derivation as in ||2l 
(while replacing the output alphabet of the single-user channel with the combined outputs of the legitimate user 



E. HOP AND S. SHAMAI: SECRECY- ACHffiVING POLAR-CODING POR BINARY-INPUT MEMORYLESS SYMMETRIC WIRE-TAP CHANNELS 11 

and the eavesdropper). 

From ( [261 ). ( [3T] ). and ( [32l ). a similar recursion follows for the marginal split channel Gn (y, w|x) of the legitimate 
user. To this end, the recursion operations in (IT2l) and (fT3l) are satisfied where P2i+i , P2i and P2i+i are replaced 
by Gg.+i , ^2, and G^i+i, respectively. 

The proof of the degradation in ( [30l ) is accomplished by induction. At the first step, from ( [3T] ) and ( [32l ) it follows 
that 

-f2 ((yi'y2),(^;i,2:2)kl) = X] 2-^(^1' ^ll^l + ^)^(^2, 22k) (33) 

P2 {iyi^y2),izi^Z2),Wi\w2) =-P{yi,Zl\wi+W2)P{y2,Z2\'W2)- (34) 

Then, plugging Q in (1331 ) and (l34l ) concludes the proof for the first step. Next, assume that the split channel Pg, 
satisfies the degradation property in ( [30l ). That is, assume that 

P29(y,z,w» = Gj?(y,wV)^(z|y) (35) 

for all 1 < / < 2*, y € 3^2\ z € 2:^', w' G A''-\ and w e X. Then, from dlB and ^ it follows that 



wex 

G«(y(2),e(w)|u;)Z)(z(2)|y(2)) 

=GglT^)((y«,y(^)),w|^0 

Z?((z«,z(2))|(y«,y(^))) 

where the last step follows using the recursion properties of the marginal split channel for the legitimate user. A 
similar argument assures the degradation property for -Pg.+i which concludes the proof of the proposition. ■ 

Successive Cancellation Decoding 

The successive cancellation decoding procedure in ^ is applied for the legitimate user. The difference from the 
standard single-user case is that for the wire-tap channel model the legitimate user needs to decode both the message 
u G X^ and the noisy vector b* E X'' . In terms of information sets, the legitimate receiver operates on the indices 
specified by both An and A/'„. Denote by w = {wi, . . . ,Wn) € X"- the transmitted vector over the combined channel 
Pn, then w is composed from the information vector u, the random vector b* , and the predetermined fixed vector 
b„. It is important not to confuse w with the actual codeword x in (|T9l ). which is transmitted over the given wire- 
tap channel P. Both interpretations are equivalent as the coset block code is equivalent to the recursive combining 
construction. Nevertheless, the decoding rule (and its performance analysis in the following) is characterized in 
terms of the vector w, transmitted over the combined wire-tap channel and received over the marginal split channels 
for the legitimate user. 

The decoding rule operates recursively to compute the length-n decoded vector w = {ibi, . . . ,Wn) G X"-. Let 
1 < I < n, and assume that the first / — 1 components of w, denoted by w('~^\ are already evaluated. If / An, 
where 

then the current index I is not in the information index set An and not in the indices specified in 7V"„ for the noisy 
vector. Consequently, / G S„. Recall that for the indices specified by Bn, the predetermined vector b„ is set. Since 
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b^ is predetermined and known (both to the legitimate user and the eavesdropper), wi is known at the receiver and 
therefore it is possible to set 

Wl = Wl. 

If / S An, then the current index is identified either as an information bit in u or as a noisy bit in b*. For this 
case, the following decoding rule is applied to the marginal split channel Gn in (l24l) : 

. Jo ifd')(y,w('-i)lO)>d'^(y,w('-i)|l) 

wi = < . (36) 

I 1 else 

The successive cancellation decoding described in this section, is by no mean optimal. This important observation 
is already noted for the single-user case in lO. Nevertheless, for an uncoded communication model with a 
communication channel whose transition probability function is Gn , the detection rule for the single bit wi in (l36l ) 
is optimal, if wi is an equiprobable bit. 

B. A Secrecy Achieving Property for Degraded Channels 

Theorem 4. Let P be a binary-input, memoryless, degraded and symmetric wire-tap channel with a secrecy capacity 
Cs(P). Fix an arbitrary positive /? < |, and R < Cs(P). Then, there exist sequences of sets An and Mn such that 
the secrecy coding scheme Cn{An,Mn) satisfies the following properties: 

1) Rate: For a sufficiently large block length n 

R<-\An\. (37) 

n 

2) Security: The equivocation rate i?e(Cn(.4„,7V„) satisfies 

lim RJCn{An,^fn)) > R- (38) 

3) Reliability: The average block error probability under successive cancellation decoding P^{Cn{A, M)) satisfies 

P,{Cn{An,Mn))=o(2~^' 

Proof: 
The proof comprises of three parts: A code construction part where the construction of the sets An and Mn is 
described in details, along with the derivation of the coding rate property in (l37l ). An analysis of the equivocation 
rate is provided in the second part of the proof. Finally, in the third part an upper bound on the block error 
probability at the legitimate receiver is provided under successive cancellation decoding. 

Part I: The code construction 

Fix some r* = G{Pz\x) ~ £> ^nd r = G{Py\x) ~ f> where G{Py\x) ^nd G{Pz\x) ^^ the channel capacities 
of the marginal channels for the legitimate user and the eavesdropper, and e > is determined later. According to 
Theorem |3j there exists a sequence of index sets Nn C [n], satisfying: 

1) The cardinality of the index set Nn satisfies 

Wn\>\nr*\. (39) 

2) For all / G M, the Bhattacharyya parameter B{Qn') of the split channel Qn of the eavesdropper in ( |25l ). is 
upper bounded by 

B{Q^^^)<2-'^\ (40) 
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The index set Mn of size \nr*\ is chosen arbitrary from Mn- 

Next, Theorem [3] is applied for the marginal channel of the legitimate user. Accordingly, there exists a sequence 
of index sets An C [n], satisfying: 

1) The cardinality of the index set An satisfies 

\An\>[nr\. (41) 

2) For all / G An, the Bhattacharyya parameter B{Gn ) of the spUt channel Gn of the legitimate user in (|28] |. 
is upper bounded according to 

S(Gi'))<2-"'. (42) 

For each n, the information index set An of size [nr\ — [nr*\ is chosen from An \ A/'n- As |7V„[ = [nr*\ and 
\An\ > [nr\, the set An\Mn is of sufficient size. The specific choice of An may be carried arbitrarily. Nevertheless, 
the best choice is to pick the indices in An\Mn whose corresponding marginal split-channels for the legitimate-user 
have the lowest Bhattacharyya parameters. 

The code rate of the resulting scheme satisfies 

1 r— 1 r* — I 

n n n 

= C{Py\x) - C{Pz\x) - 2e - - 

= aiP) - 2e - - (43) 

n 

where the last equality follows from Theorem |2] Consequently, for a large enough block length and a properly 
chosen (small) e, the code rate of the proposed scheme satisfies (l37l) . 
The choice of the vector b„ G ;)^n-fc-fe* j^^y ]jq carried arbitrarily. 



Part II: The equivocation rate analysis 

The confidential message vector, the transmitted codeword, and the received vector at the eavesdropper are denoted 
by the random vectors U, X, and Z, respectively. The equivocation rate of the proposed scheme Rs{Cn{A,M)) is 
given by 

R,{Cn{AM)) =-H{\J\Z) 
n 

= -^(U)--/(U;Z) 
n n 

= -|X|--/(U;Z) (44) 

n n 

Where the last equality follows since the message bit vector is of length \An\ and equiprobable. Using the chain 
rule of mutual information 

/(U, X; Z) =/(U; Z) + /(X; Z[U) 
=/(X;Z) + /(U;ZlX). 



14 SUBMITTED TO THE IEEE TRANSACTIONS ON INFORMATION THEORY, MAY 2010. 

Consequently, 

/(U; Z) =/(X; Z) + /(U; ZlX) - /(X; Z|U) 

^=V(X;Z)-/(X;Z|U) 
<nC7(P^|x)-/(X;Z|U) (45) 

where (a) follows since U ^^ X ^ Z is a Markov chain which implies that Z and U are statistically independent 
given X, and C{Pz\x) is the channel capacity of the marginal channel to the eavesdropper. The conditional mutual 
information /(X; Z|U) is given by 

/(X; Z|U) =-H'(X|U) - -^^(XIU, Z) 

^Mn\-H{X.\\],Z) 

>n{C{Pzix)-e)-l-H{X\\J,Z) (46) 

where (a) follows since the binary vector b* is chosen uniformly at random and it is independent with the confidential 
message, and (b) follows since \Afn\ = [nr*\ and r* = C{Pz\x) ~ ^■ 

Let Pe|u denote the error probability of a decoder that needs to decode X while having access to both the 
eavesdropper observation vector Z, the confidential message vector U, and the predetermined vector b„ (which is 
fixed, predetermined, and known to all the users in the model). Note that if both the confidential message U and the 
predetermined vector b„ are known at the receiver, then the remaining uncertainty in the codeword X relates only 
to the random vector b* of size Mn- Using Fano's inequality (see, e.g., ||5l), the conditional entropy ff (X|U, Z) 
is bounded according to 

H{X\V, Z) </l2(Pe|u) + ^e|U log(2l^"l - 1) 

<^2(Pe|u) + '^^*^e|U (47) 

where h2{x) = — xlogx — (1 — x) log(l — x) is the binary entropy function, from (l44l)-(|47]) it follows that 

Re{Cn{A,M)) >^\An\-e-^-^{h2 (Pe|u) + nr* P.^jj) (48) 

>R----{h2 (Pe|u) + nr*Pe|u) (49) 

n n 



where the last inequaUty follows from (1431 ) for a sufficiently small e and a sufficiently large n. The error probability 
Pe|U in ( l49l ) can be upper bounded by the error probability under the suboptimal successive cancellation decoder 
in 121, which is fully informed with both the predetermined vector b„ and the confidential message vector U. It 
follows from 131 that 

Pe|U<0(2--') 

which concludes the proof of (l38l ). 

Part III: The error performance at the legitimate decoder 

The successive cancellation decoding procedure at the legitimate receiver is analyzed. First, fix a vector v^ = 
{wi, . . . ,Wn) G ^" comprises of the information message u G X'^, the randomly chosen vector b* G X'^* , and 
the predetermined vector b G ^n-k-k' ^ rpj^g conditional block error probability is denoted by Pe|w- That is, Pe|^ 
is the probability of a block error event given that the input vector is w. Denote by w*^') = {wi, . . . , wi) the first / 
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bits of w, and by w^') = (wi, . . . ,wi) the first / decoded bits. The event 

corresponds to the case where the first / — 1 bits of w are decoded correctly and the first decoding error is in the 
l-th bit. Notice that 

where £i is the event defined in ( fT6] ). and Gj^ is the marginal split channel in (l24l ). Consequently, it follows using 
the union bound that 

Pe|w=Pr(ur=i-Fd w) 

< J]Pr(^KG«)|w). (50) 

Next, the summation in dSOl ) is split to two summations: a summation over the indices in An and a summation 
over the indices in J\fn- For an index / G An, it follows from Proposition [3] that for all w^ G Af" 

Pr(fKG(,'))|w)<i3(G«) (51) 

where B{Gn) is the Bhattacharyya parameter in (ITTT ). To address the probability of the event £i{Gn) where 



i 



I G Mn, notice that at the output of the marginal split channel, the decoding rule for wi in ( [36l ) is optima^. Recall 
the degradation property in Proposition [S] According to Proposition [5] the marginal split channel of the eavesdropper 
is physically degraded with respect to the marginal split channel of the legitimate user. Consequently, it is clearly 
suboptimal to first degrade the observations at the split channel of the legitimate user, and only then to detect the 
bit wi over the corresponding marginal split channel of the eavesdropper. Specifically, wi is detected according to 

^ ^ f if gi')(z,u;('-i)|0)>Qi'^(z,u;('~i)|l) 
1 1 else 

where z G Z^ is a degraded version of y G y^, randomly picked according to the probability law D{z\y) in (l30l ). 
This detection rule is inferior with respect to ( [36l ). Hence, based on Proposition [3j the upper bound 

Pr(£:KG«)|w) <i3(Q«) (52) 

holds for all / G Mn- From (l50l) . (|5TI ). and (l52l) . it follows that the average block error probability is upper bounded 

by 

Pe(C„(AAA)) < Y^ B(G«) + Y^ BiQll^). 
leA„ leJV„ 

The proof concludes using the bound on the polarization rate of the Bhattacharyya parameter in Theorem [3] and 
the specific choice of the sets An and J\fn- ■ 

Remark 3 (On communicating with full capacity). The noisy bits b*, defining the coset block code C* based 
on the noisy index set Mn (see eq. (ITSl)). are reliably detected by the legitimate user. It is therefore suggested to 
utilize these bits in order to communicate with the legitimate user. That is, instead of setting the bits in b* to noisy 
random bits, non-secret information bits are suggested to be set on b*. The non-secret information bits must be 
statistically independent and equiprobable. In addition, the non-secret information must be statistically independent 

As stated, this optimality is only under ttie setting of ttie split channel, and by no means implies optimality of the complete procedure 
(which is clearly suboptimal). 
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with the secret-information. These statistical properties allows the non-secret information bits to act as if they are 
noisy bits (where the eavesdropper is concerned). As a result of the cardinality of the index set An (l4TI ). the overall 
rate, including secret and non-secret information, is arbitrarily close the full (marginal) channel capacity of the 
legitimate user C{Py\x)- 

Remark 4 (The noisy bits must not be fixed). It is important to note that the bits in b* must be chosen at random 
for each block transmission. To see this, first note (based on the data processing inequality) that 

-I{K;Z) < -I{X;Z) (53) 

n n 

for all n > 0. Assuming that (1531 ) is satisfied with equality. It follows that both the legitimate user and the 

eavesdropper can reliably decoded the vector b* . Considering the current setting as if it is a broadcast communication 

problem over the given channel, a broadcast scheme is therefore provided where we can reliably communicated 

with the legitimate user at a rate arbitrarily close to its marginal capacity C{Py\x) ^^d at the same time with 

the eavesdropper at a (common) rate which is arbitrarily close to ^/(X; Z). This violates the fundamental limit 

imposed by the capacity region of the degraded broadcast channel (see, e.g., |[5J). Consequently, it follows that 

-I(b;;Z)<i/(X;Z) (54) 

n n 

for all n > 0. Next, since there is a one-to-one correspondence between the transmitted codeword X and the vector 

pair which is comprised of the random bits b* and the confidential message U (the vector b is predetermined and 

fixed), it follows that 

i/(X;Z) = i/(U,b*;Z) 
n n 

^=^i/(b*;Z) + -/(U;Z|b*) (55) 

n n 



for all n > 0, where (a) follows by the chain rule of mutual information. Hence it is observed from (l54l) and (1551) 

that 

-/(U;Z|b*) >0 
n 

for all n. This assures that if the vector b* is known to the eavesdropper, for example by choosing a fixed b*, 
perfect secrecy can not be established, not even in the weak sense. 

It is observed in lH, that if {Ri,Ri) is an achievable rate-equivocation pair and in addition, an additional 
information rate R2 is achievable without secrecy (that is, in the ordinary notion of reliable communication), then 
the [Ri + R2,Ri) is also an achieved rate-equivocation pair. The other direction is also provided in ||6j p. 411]. 
Following Remark |3] which suggests the option of communicating in full rate, and the observations in ||6l, it 
is expected that the entire rate-equivocation region is obtained with polar coding. This result is provided in the 
following corollary: 

Corollary 1 (The entire rate-equivocation region is achievable with polar codes). Under the assumptions and 
notation in Theorem |4l the entire rate-equivocation region is achievable with polar coding. 

Proof: Take a rate-equivocation pair {R, R^) in the rate-equivocation region defined in Q. Define Ri = R^, 
and R2 = R - Ri- Note that i?2 > as i?e < R- Consider the coset block code in (dUl. Since R^ < Cs{P), the 
rate Ri is achievable via the index set An- It is further detailed in the proof of Theorem HI that the information 
transmitted via the indices in An is secure. Specifically, it follows from (l48l ) that the equivocation rate is arbitrarily 
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close to :^I^ra|. As explained in Remark [3l reliable communication (not necessarily secure) of an additional rate of 
up to the capacity C{Py\x) of the marginal channel to the legitimate user, is achievable. Therefore, the additional 
rate R2, is achievable either via the remaining indices in An and the vector b* corresponding to the indices in AA„. 



C. Secrecy Achieving Properties for Erasure Wiretap Channels 

In this section, a particular case of binary erasure wiretap channel is considered. Specifically, it is assumed that 
the channel to the legitimate user is noiseless, and the channel to the eavesdropper is a binary erasure channel 
(BEC) with an erasure probability 6, is considered. Recall that the set sequence Mn of the indices that correspond 
to "good" split channel to the eavesdropper, is chosen as to achieve the capacity to the eavesdropper. As the channel 
to the legitimate user is noiseless, that is y = x, the set sequence An and is set according to 

An = [n]\Mn. (56) 

Note that for this particular case &„, = 0. The resulting coding scheme is then a particular case of the coset coding 
scheme in |[T2l where the base code is determine by the generator matrix G„(AA„) and the actual coset is determined 
by uGn{An) where u is the transmitted information bits (the secret message) and G„ is the polar generator matrix 
for a block length n. Specifically, the codeword x is given, based on(|T9l). by 

X = uGniAn) + KGniMn). (57) 

The rate and reliability properties in this particular case follows immediately as a result of Theorem |4l That is, 
the rate approaches the secrecy capacity, which in this case equals 6, and the legitimate user obviously can decode 
the transmitted message. As in the second part of the proof of Theorem |4l the confidential message vector, the 
transmitted codeword, and the received vector at the eavesdropper are denoted by the random vectors U, X, and 
Z, respectively. The following lemma address the entropy measure if (U|Z). 

Lemma 1. Under the assumption and notation for the consider binary erasure wiretap channel, the entropy H(\J\Z) 
satisfies 

H{\J\Z) >n(^(l-c2-"'') 

where 5 is the erasure probability of the wiretap channel, and c > 0. 

Proof: Let us fix a particular realization of the channel erasure sequence q Denote by V the set of fj, indices 
which are not erased. That is, the eavesdropper received the bits Xi for every i ^ V, and erasure symbols for 
every index in V^ = [n] \ V. Consider the \J\fn\ x n matrix {G„(A/"n)}. As the generator matrix G„ for the polar 
construction has a full rank (for every n in the construction), the matrix Gn{Mn) has a rank J\fn- Therefore, it is 
a generator matrix for a binary linear block code of dimension Mn- This code has a parity check matrix of size 
\An\ X n, denoted by if„ (recall that A is given by ([56l)). Since all the information bits are equiprobable, and 
all the noisy bits are also equiprobable, the codeword X, given by ( fT9l ). id uniformly distributed over all possible 
binary vectors in {0, 1}". Consequently, all the bits in X are independent and identically distributed uniform binary 
random variables. Hence, if (X|Z) = n — fi. In addition, note that if the codeword X is known, then information 

This case is studied in 1121 . and some parts of the provided proof are based on proper presentation of the techniques developed in 1121 
for the case at hand. 
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bits U are fully determined for the considered polar coding scheme. It follows that 

iJ(U|Z) = i?(U|X, Z) + i?(X|Z) - i^(X|U, Z) (58) 

= m-^-F(X|U,Z). (59) 

Note that ^S^ is a restatement of HH Eq. (5)], and (|59ll is a restatement of lHH Eq. (6)]. 

Next, fix a realization Z = z € {0,1}" and U = u G {0, l}'-^"'. From (|57] ). it follows that the erased bits 
{Xjjjgx"^ satisfies the linear equations 

Y, X^ {Hn\ = HnUGn (A) + J] ^^ (^n), (60) 

where {Hn)i is the i-th column of the parity check matrix Hn- The number of solutions to (l60b is given by 

where d ({(//„)j}^ p) is the dimension of the linear space spanned by the the column vectors in {(//„)j}^ ^. 
Since all the solutions for the erasures Xi, i £1), are equally likely, it follows that 

H{X\U = u,Z = z) = n-fi-d ({(//„)a,g^) . (61) 

From (I59ll and (I6B, it follows that 

H(U\Z) = Ed{{iH^)^}^^^). (62) 

As the information indices Mn for the eavesdropper are chosen such that it can decode the noisy bits b* with an 
error probability of 0(2~" ), it follows that 

H(IJ\Z) >E{d ({(^n)J,ex)) I, correct decoding) (1 - 02""') (63) 

= n(5(l-c2-"') (64) 

where c > and S is the erasure probability of the eavesdropper channel. ■ 

Remark 5 (All coset must be equally likely). In the current discussion, the secrecy polar coding scheme is applied 
with Bn = 0. This fact is crucial for the proof of Lemma [T] It is conjectured that this choice may be crucial to 
achieve the entire secrecy capacity under the strong secrecy condition. 

Remark 6 (On possible stronger notion of secrecy). Consider the conditions in Theorem |3] In particular, not 
that the rate R < C{p) is kept fixed for the polarization structure of the code. If, it be possible to construct the 
sequence of polar codes, with a sequence of blocklength dependent rates Rn having the property that 

(X 

Rn > C{p) - — (65) 

n ' 

where a > and 7 > 1 are arbitrarily fixed parameters. Then, it will follow as a corollary of Lemma [1] that a 

strong notion of secrecy is guaranteed. That is, the entropy H{\J\Z) is arbitrarily close to H{\J). To see this, note 

that if polarization is possible while satisfying ( [65] ). it follows that 

\Mn\>n[l-6-^). 

Consequently, 



H{\J) = \A„\ = n-\Afn\=n5 + — 



a 



n^ 
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Hence i:f(U|Z) is lower bounded by a quantity which is arbitrarily close H{\J) as the blocklength increases. For 
the particular case of the BEC, it follows from 121 Eq. (34)-(35)], that the considered question requires the analysis 
of the following sequence 

\{iG[n]: Zl,<Ce^'}\ 

where {^n}jG[n] is a sequence, generated recursively according to 

where i G [k] and Z\ = 5. 

IV. An open polarization problem and the GENERAL WIRETAP CHANNEL 

An open polarization problem is presented in addition to a conjecture which suggests a possible solution. A polar 
secrecy scheme for non-degraded wiretap channels is provided based on suggested conjecture. 

A. On the polarization of the 'bad' indices 

Let W = {Wi,...,Wn) be a random vector, where {Wi}"^^ are statistically independent and equiprobable 
Pr(VFj = 0) = Pr(l^j ~ ^) ~ h ^'^^ ^^^ ^ ^ W- ^^^ random vector W is polar encoded to a codeword X = G^W, 
where G„ is the polar generator matrix of size n. The codeword X is transmitted over a binary input DMC p, 
whose output alphabet is 3^. The received vector is denoted by Y = (Yi, . . . , y„). For a given vector W and a set 
AQ [n], the following notation is used 

where ii < ^2 < • • • < i\^\ and i^ ^ A for all k € [|^|]. Define the following quantities of mutual information 

/,^/(Ty,;W[,_i],Y), ie[n]. (66) 

The following polarization of mutual information is the key result in 111, ||3l: 

Theorem 5 (On the polarization of mutual information |2|). Assume that p is a binary-input output-symmetric 
DMC whose capacity is C(p), and fix < 5 < 1. Then, 



lim (- {i G [n] : /, e (1 - 5, 1]} ^ = C{p) 
lim {- {i G [n] : /, e [0, 5)} ") = 1 - C{p) 



Denote by An the set of indices for which the corresponding mutual information quantities li, i ^ An, are 
arbitrarily close to 1 bit (for a sufficiently large n). The set An is called the information index set. This is the very 
same index set in Theorem |3l of 'good' split channels whose corresponding Bhattacharyya constants approach 0. 
Let A'n C An and let 5„ C An- We define the index sets 

Vn=A'U Sn 
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and 

A problem of interest lies in the |Dn[ quantities of mutual information: 

J^ ^IiW^■, W^(., , W7?.„ , Y) , ieVn. (67) 

For the indices in A'^ a straight froward answer is provided: 

Lemma 2 (on the indices of 'good' split channels). Fix a < 6 < 1 and an index i G A'^- For sufficiently large 

n 

J,: > 1 - <5. 

Proof: As the mutual information Jj in ( [66l ) includes a subset of the random variables in J^ in ( [67] ). it follows 
that 

Ji > h- 

The proof concludes using Theorem |5] as A'^ C An- ■ 

According to Lemma |2] 'good' indices for which the mutual information quantities /, approach 1 bit, remain 
'good' with respect to the mutual information Jj. The characterization of the 'bad' indices seems at this point to 
be a greater challenge. A conjecture for possible polarization properties of the mutual information quantities Ji 
in (|67] ) is provided for the ('bad') indices in 5„. Two possible polarization properties are considered: 

Conjecture 1 (On possible polarization dichotomy). Fix a < 5 < 1. There exists a partition of .S^ to two sets 
S'^ and .S^' = Sn\S'^, such that for a sufficiently large n 

J^ < 6, for all i G S^ (68) 

J^>l-6, for all i e S'^. (69) 

Remark 7 (On degenerated and non-degenerated possible partitions). One of the possible option resulting 
from Conjecture [His that S'^ = 5„. In case where this degenerated partition is proved to be correct, then it follows 
that the additional information provided by the bits in Wpc^ do not alter the known polarization of the mutual 
information quantities Jj in ([66] ). The non-degenerated partition of 5„ offers (in the case it is proven to be correct) a 
dichotomy of the indices in iS„. Accordingly, either the former polarization remains or alternatively the knowledge 
of the bits in Wx)^ completely changes the orientation of the polarization. The size of S^ U A'^ must satisfy 

\S':uA'j'^\A'n\ + \A:\<nC{p). (70) 

Equality (a) in ([70] ) is obvious as the sets A'^ and iS„ are disjoint. Violating the inequality (b) in ([70] ) results in 
violating the coding theorem for a DMC as the input bits to the split channels specified by the set .S^' U A'^ can be 
reliably decoded (This can be shown in a similar fashion as in fH). 

Remark 8 (On a particular trivial case where Conjecture [1] is true). There exists an option where Conjecture[T] 
is trivially proved as a particular application of Theorem [5] Specifically, assume that for every index i € P„, it 
follows that 

In that case, the degenerated partition in Remark [7] foUows as an immediate particular case of Theorem [5] 
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B. A polar secrecy scheme 

In this section, a polar secrecy scheme is provided assuming that Conjecture [T] is true. The same notation and 
definitions of the coset code defined in Section IIII-AI are assumed. The transmitted codeword x is defined in ( fT9l ). 
This definition is based on the index sets An and Mn- The secure information bits are considered as if they are 
being transmitted over the split channels whose indices are in An- Over the split channels whose indices are in 
Mn, noisy bits are attributed. The polar secrecy scheme is provided in Section |lll] by a proper choice of the sets 
An and Nn- The degradation property in Section |lll] assures that the indices which correspond to split channels 
which polarize to 'good channels' for the eavesdropper, also polarize for 'good channels' for the legitimate user. 
This clearly does not necessarily follow for the general not-degraded case. 

For the general wiretap channel, indices that are 'good' for the eavesdropper may not be 'good' for the legitimate 
user and vice-versa. A binary-input symmetric wiretap channel is assumed. As in the construction detailed in Part I 
of the proof of Theorem |4l the sets An and An of 'good indices' are considered. The sets An and Mn include 
the indices for which the Bhattacharyya parameters of the corresponding split channels approach zero as the block 
length approach infinity. Specifically, fixing r < C{Py\x) and r* < C{Pz\x), the conditions in (l39l)- (|42l) follow. 

Define the index set 5„ = An\Mn of indices which are 'good' for both the legitimate user and the eavesdropper. 
According to Conjecture [1] the set Sn can be partitioned into two index sets 5^ and 5^', satisfying the polarization 
properties in (I68l)-(l69l) where An is replaced by Mn, and A'n is replaced by An n A^. Next, the set Mn is defined 
according to 

Mn={Anr\Mn)yjS';, (71) 

and the set An is defined to be the remaining indices in Sn, that is 

A - S' 

As explained in Remark |7J the term -|A/'n| can not exceed the capacity of the eavesdropper marginal channel. 
Consequently, the size of 5^ can be chosen such that ^|5^| is arbitrarily close to C{Py\x) — C{Pz\x)- 

Next, the same coset coding scheme defined in (fT9l) is applied to the case at hand (with the new construction of 
the sets An and Mn)- As the information rate -|^n| of the considered scheme may be chosen arbitrarily close to 
C{Py\x) — C{Pz\x), the same coding rate as in Theorem |4] is obtained. The decoding reliability at the legitimate 
user is clear and follows the same proof as for the degraded case (note that all the noisy bits in the considered 
scheme are 'transmitted' over the split channels that are 'good' for the legitimate user). It is left to establish that 
the equivocation rate can approach the information rate of the considered scheme. 

C- Analysis of the equivocation rate 

As explained in Section ITlI-A[ the bits b„ corresponding to the indices in Bn are predetermined and fixed. These 
bits are known both to the eavesdropper and the legitimate user. For each blocklength n, consider the ensemble of 
coset codes corresponding for all the possible selection of fixed bits b„. An analysis of the equivocation rate where 
the coset code is chosen in random is considered. Specifically, it is assumed that the actual code is chosen from the 
ensemble by picking the bits in b„ in random. The random selection of the bits in b„ is carried independently and 
identically. Each bit is picked at random with an equiprobable probability, Pr(0) = Pr(l) = i. In addition, it is 
assumed that the random selection of b„ is independent with the random noisy bits in b* and the secret message. 
It is important to distinguish between the ransom selection of a code and the noisy bits b*. The random selection of 
code is part of our analysis, this selection (i.e., the bits in b„) is known to both the legitimate and the eavesdropper. 
In contrast, the random noisy bits b* are immanent part of the encoding procedure and they are unknown to both 
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the legitimate user and the receiver. The noisy bits b* are picked randomly, each independent with the others, and 
with a uniform probability. The information bits are also assumed to be independent and equiprobable. 
The secrecy properties of the suggested scheme is considered in the following proposition: 

Proposition 6. Consider the polar secrecy scheme in Section IIV-BI whose transmissions take place over a binary- 
input memoryless symmetric wiretap channel. Then, there exists a bit vector b„ for which the equivocation rate 
satisfy the secrecy condition in (l38l ). 

Proof: Denote by W the random binary vector comprises the random bits in b„, b* , and u in the encoding 
procedure ( fT9l ). and by Z the random vector received at the eavesdropper. According to the considered assumptions, 
all the bits in W are independent and equiprobable. It follows using the chain rule of mutual information that 

/(W^„ , W^„ ; We„ , Z) = /( W^„ ; Wb„ , Z) + /( W^„ ; We„ , Z | W^„ ) 

= /( W^„ ; Wb J + /( W^„ ; Z I We J 
+ /( WAr„ ; We„ I W^„ ) + /( WAr„ ; Z | W^„ , V^b^ ) 
= H{Wa„ ) - ^( W^„ I Z, Wb„ ) + /(W^„ ; Z I W^„ , We„ ) (72) 

where the last equality follows since W^^, W;v'„. and Wg^^ are independent. As the set Mn comprises indices 
of split channels which polarize to perfect channels, the bits in W^^ can be reliably decoded at the eavesdropper 
based on perfect knowledge of the remaining bits and the received vector (this is shown in a similar fashion to [2|). 
Hence, the decoding error probability Pe(W^c ) of the bits in W^^ based on the received vector and the remaining 
bits Wjv"^, can be made arbitrarily low. As a consequence of Fano's inequality it follows that 

lAA„|>/(WAr„;Z I Wa.,WbJ 

= H{W^„ I W^„ , Wb„ ) - H{W^f„ I Z, W^„ , Wb„ ) 

> H{W^fJ - h2{Pe{WM^)) - |AA„|Pe(W^c) (73) 

where /i2 is the binary entropy function. For a sufficiently large block length n, the expected decoding error 
probability approaches zero. Consequently, ^I{'Wj\f^;Z \ W^^,We^) can be made arbitrarily close to ^lAAn]. It 
follows from ^^ and (|73]) that 

-H{WaJ Z, WbJ > Mi^ + 1^ - e„ - i/(W^„, W^j Wb„,Z) (74) 

n n n n 

where e„ > and approaches zero as n grows. 

Based on Conjecture [U the mutual information -/(W^^, W^^; Wg_^, Z) can be shown to be arbitrarily close 

to -|A/'„|. Using the chain rule of mutual information it follows that 



/( WAr„ , W^„ ; We„ , Z) = J] /( Wi ; Wh„ , Z I W_^<o , W^<o ) 

+ Y, I{Wi; We„ , Z I W_^(., , W^<., ). 
= J] /( Wi ; W_^(., , W^(., , Wb„ , Z) 
+ Y, ^( Wi ; W_^(., , W_4U) , Wb„ , Z) . (75) 

^eAr^ 

where the last equality follows as all the bits in W are independent. For every index i G Mn, it follows from 
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Lemma |2] and Conjecture \T\ that 

I{Wi; W^(., , W^« , Wb„ ,Z)>1-5. (76) 

In addition, for all the indices i € An it also follows from Conjecture [T] that 

I{Wi; W^(., , W_^(., , Wb„ ,Z)<6. (77) 

From dTS]), ^ and dTT]) it follows that 

-/(W^„, W^„; Wh„,Z) < ^ + '^'-^"' 



n n n 

< ^ + <5. (78) 

n 



Hence, based on (1741 ) and (1781 ) we end up with 

-if(W^J Z,WeJ>-|A,|-e„-5. 
n n 

As 5 can be fixed arbitrarily small, and e„ approaches zero, the equivocation rate can be made arbitrarily close to 

^\An\ which assures the secrecy property of the provided scheme. ■ 

V. Summery and Conclusions 

A polar secrecy scheme is provided in this paper for the two-user, memoryless, symmetric and degraded wire- 
tap channel. The provided polar codes are shown to achieve the entire rate-equivocation region. Our polar coding 
scheme is based on the channel polarization method originally introduced by Arikan [2J for single-user setting. For 
the particular case of binary erasure channel, the secrecy capacity is shown to achieve the secrecy capacity under 
the strong notion of secrecy. 

Proving (disproving, or finding a counter example) Conjecture [T] is the main interest in the continuation of the 
research discussed in this paper. The following generalizations are of additional possible interest: 

1) Non-binary settings: In light of the recent results by Sasoglu et al. fT|, a generalization to the non-binary 
setting may be a straight forward generalization. 

2) Secrecy polar schemes for non-symmetric wiretap channels, based on the non-binary polarization provided 
in [71. 

3) Polar coding for a broadcast channel with confidential messages. The particular case of degraded message 
sets over a degraded channel is first considered. 

4) Strong secrecy properties: As noted, the provided scheme is shown to provide weak secrecy. It is of great 
interest to find out if this scheme can also provide strong secrecy. 

5) Generalized polar secrecy-schemes based on the ideas in El, ll8l- llT0l . 

6) Combing the polar scheme with the MAC approach for the wiretap channel (see, e.g., llTT) \ 
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